DATA RECOVERY
Contents
ABSTRACT ... 2
CHAPTER ONE: INTRODUCTION TO THE PROJECT ... 3
1.1 PROJECT OVERVIEW ... 3
1.2 PROJECT AIMS AND OBJECTIVES ... 3
1.3 ASSUMPTIONS ... 4
1.4 EVALUATION OF JONATHAN'S COMPUTER CRIME ... 5
CHAPTER TWO: THE INVESTIGATION PROCESS ... 6
2.1 OVERVIEW OF THE FORENSIC INVESTIGATION PROCESS ... 6
2.2 AUTHORIZATION AND PREPARATION ... 7
2.2.1 AUTHORIZATION ... 7
2.2.2 PREPARATION ... 8
2.3 IDENTIFICATION ... 9
2.4 COLLECTION AND PRESERVATION ... 10
2.5 EXAMINATION AND ANALYSIS ... 18
2.5.1 RECOVERING ANY DELETED MATERIALS ... 19
2.5.2 RECOVERED MATERIALS ... 21
2.5.3 EXTRACTION OF THE MATERIAL FOUND ... 21
2.6 RECONSTRUCTION ... 22
2.7 REPORT ... 24
FORENSICS REPORT ... 24
INVESTIGATION FINDINGS ... 24
EXAMINATION SUMMARY ... 24
CONCLUSION ... 25
3.0 EXECUTIVE SUMMARY ... 25
4.0 APPENDIX ... 26
5.0 REFERENCES ... 28
YUSUPH KILEO
Page 1
ABSTRACT
The project entails recovering crucial documents that a dissatisfied employee, Jonathan, deleted before leaving the company. Jonathan's actions were evaluated and analysed to determine how he carried them out, so that effective ways of recovering the lost files could be devised. Proper planning was done before the investigation to ensure strict adherence to investigation procedure. Finally, the investigation evidence proved that Jonathan did delete the important documents, which the investigation team managed to recover.
1.3 ASSUMPTIONS
- Bukit Enterprises is a company located in the United Kingdom.
- Investigators found Jonathan's computer switched on.
- Jonathan was using Windows XP as his operating system.
- Jonathan had installed the WinRAR software (an encryption tool) on his computer.
- Jonathan left no personal data on the computer.
- Jonathan saved the research documents using WordPad.
- Jonathan encrypted the documents before deleting them.
- Jonathan password-protected the documents using his own name as the password.
- Jonathan did not first enquire about the reasons for management promoting Steven over him.
2.2.1 AUTHORIZATION
The focus of a forensic investigation is to acquire evidence that can be used in legal proceedings, so forensic investigators must have authorization to carry out the investigation; otherwise, as noted above, the evidence would not be admissible (Kleiman et al., 2007, p. 8 of 939). The forensic investigator has been appointed by the company's IT department as head of the investigation team to search for and recover deleted materials from the computer that Jonathan used while still working for Bukit Enterprises. To formalize this, the investigator should request from the company a written permission that allows the investigator to search Jonathan's computer and that outlines the reasons why Jonathan's former computer is being searched and investigated. It is also common knowledge that before any forensic investigation, investigators must first obtain judicial permission, a search warrant, that gives them the go-ahead for the investigation. For example, if forensic investigators are investigating a case where someone is suspected of selling drugs, a search warrant must be obtained from the authority concerned to allow the investigators to proceed with searching and investigating the case. Since Jonathan was no longer part of the company, there was no reason for a search warrant; instead, the investigator would request a formal written authorization from the company management to carry out the investigation. The letter must state that the investigator is hired to search Jonathan's computer, and justification for why the search must be conducted must also be provided. To further validate the investigation procedure, the investigator should have a third party present, for example an attorney, to certify that the investigators have been hired by Bukit Enterprises to conduct a search on the computer Jonathan used while still with the company.
2.2.2 PREPARATION
The preparation phase is where the investigator finalizes the formation of the investigation team. The team would be divided according to the phases of the investigation, so that an investigator is responsible for a specific phase. Though the appointed investigators would be working with the team, they would be in charge of their phases to ensure that proper procedures are followed throughout the investigation process. A chain of custody would also be created at this stage. Not all investigation team members will be in the chain of custody, because the fewer people who handle the investigation's crucial documents the better: it increases accountability. The chain of custody would be documented, listing all handlers of important investigation documents, including the evidence.
ELECTRONIC EVIDENCE CHAIN OF CUSTODY FORM
Case No: ____   Page: ____ of: ____

COLLECTED EVIDENCE
Tracking number | Category | Name | Collected from

CHAIN OF CUSTODY
Tracking number | From (location) | To (location) | Date and time | Reason
The preparation phase also entails briefing the investigation team on the case and on what is expected of them during the investigation. This enables the team to prepare psychologically for the case and to be familiar with the laws of the United Kingdom, where the forensic investigation is taking place. The investigation team would also prepare any materials, hardware and software, that may be useful in the case. Even though the investigation team has not yet assessed Jonathan's computer, based on their experience in the field they would prepare materials that are likely to be required, such as the necessary software applications and hardware.
2.3 IDENTIFICATION
The identification phase allows investigators to spot any materials that may be suspicious and may contain evidence. These materials may be hardware, such as compact discs, floppy disks and hard disks, or fragile data in digital form, such as emails, log files and images. The investigation team would check the log files of the computer used by Jonathan, where they would recognize that he deleted some files just a few hours before he left the company. They would also find digital images on his computer and, based on their experience in the field, the team would suspect them of being steganographic images. The last step of the identification phase is where the investigation team identifies the investigation requirements, that is, the tools or software that would be useful in the investigation process. Having identified these items, the team would have an idea of what Jonathan actually did and hence would know which forensic tools to prepare, allowing the investigation to be carried out smoothly.
2.4 COLLECTION AND PRESERVATION
Having identified items that may contain evidence of Jonathan's actions, the investigation team would proceed to collect the evidence. Conducting forensic investigations procedurally is aimed at acquiring accurate evidence; therefore, investigators would ensure that the collected evidence is not tampered with. Digital data is very fragile and can easily be altered, so the following principles would be employed to ensure that the collected evidence is accurate:
- Investigators should wear gloves during the entire collection process to avoid contaminating the evidence with fingerprints.
- Jonathan's computer should not be switched off. This allows the investigators to carry out the investigation without disturbing the state in which the computer was found.
- No forensic software would be installed on the machine. Vacca (2005, p. 18 of 832) notes that care must be taken that no malicious software is launched on the subject machine; installing any software may introduce malicious software and hence tamper with the evidence.
The investigator has to take an image of the PC that Jonathan used, because the investigator must not tamper with the evidence. As Vacca (2005, p. 18 of 832) notes, it is crucial for forensic investigators to preserve the original evidence. They could easily perform all operations directly on Jonathan's computer, but best practice is to preserve the original evidence: an image is created as a copy of the original evidence, and it is the image that is investigated.
CREATING THE IMAGE OF JONATHAN'S COMPUTER
The figure above shows how Jonathan's computer appeared before the investigation process began.
An image of Jonathan's computer will be taken to allow the forensic investigation to take place.
The screen above appears after launching FTK Imager Lite. It must be noted that this forensic tool runs from an external hard drive rather than from the subject machine. From the File menu, Create Disk Image is selected to begin creating the image of Jonathan's computer with FTK Imager.
Here the forensic investigator chooses the drive from which the image is to be created.
The figure above is where the image destination is added, that is, the drive on which the image will be stored ready for the investigation. The figure below is where the appropriate image type is selected.
The image is then created at the destination. This process takes some time, depending on the speed at which the data is transferred.
The screen above shows the MD5 and SHA1 hash values of the image, which are used to verify that the image matches the source.
The image files would then be exported to external media, on which all of the investigation would be carried out.
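As an added illustration (not part of the original report), the following Python shows the two checks the preservation stage relies on: re-hashing the exported image copy against the MD5 and SHA1 values recorded at acquisition, and keeping the chain-of-custody entries in a tamper-evident hash chain. The image file name and content, and every time other than the 28 January 2011 acquisition, are constructed for the demo.

```python
import hashlib, json, os, shutil, tempfile

def hash_image(path: str, chunk: int = 1 << 20) -> dict:
    """Stream the image through MD5 and SHA-1, the two digests FTK Imager records."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(path: str, acquisition: dict) -> dict:
    """Re-hash a copy (e.g. after export to external media) against the acquisition record."""
    now = hash_image(path)
    return {alg: now[alg] == acquisition[alg] for alg in ("md5", "sha1")}

def custody_entry(log: list, tracking: str, src: str, dst: str, reason: str,
                  hashes: dict, when: str) -> dict:
    """Append one hand-off; each entry carries the image hashes and the previous entry's hash."""
    entry = {"tracking_number": tracking, "from": src, "to": dst, "reason": reason,
             "date_time": when, "md5": hashes["md5"], "sha1": hashes["sha1"],
             "previous": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry

def verify_custody_log(log: list) -> bool:
    """Recompute the hash chain; an edited, removed or reordered entry breaks a link."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["previous"] != prev or digest != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def demo() -> tuple:
    """Constructed walk-through: image name, content and the 29 January time are made up."""
    tmp = tempfile.mkdtemp()
    original = os.path.join(tmp, "jonathan_pc.001")
    with open(original, "wb") as f:
        f.write(bytes(range(256)) * 4096)            # 1 MiB of constructed disk content
    acquired = hash_image(original)
    log = []
    custody_entry(log, "001", "Bukit Enterprises, subject PC", "Investigation Department",
                  "Acquire image of suspect computer", acquired, "2011-01-28 13:25")
    copy = os.path.join(tmp, "external_media", "jonathan_pc.001")
    os.makedirs(os.path.dirname(copy))
    shutil.copyfile(original, copy)
    copy_ok = verify_image(copy, acquired)           # intact copy: both digests match
    custody_entry(log, "001", "Investigation Department", "External analysis drive",
                  "Export verified copy for examination", hash_image(copy), "2011-01-29 09:00")
    chain_ok = verify_custody_log(log)
    with open(copy, "r+b") as f:                     # simulate a single corrupted byte
        f.seek(1000)
        f.write(b"\xff")
    copy_bad = verify_image(copy, acquired)          # both digests now differ
    log[0]["reason"] = "edited after the fact"       # simulate tampering with the log
    return copy_ok, copy_bad, chain_ok, verify_custody_log(log)

if __name__ == "__main__":
    print(demo())
```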
2.5.1 RECOVERING ANY DELETED MATERIALS
For examination and analysis, the forensic team would use the Active@ UNDELETE program, which checks the system for any deleted materials and then recovers them. In this case it is already known that Jonathan deleted the materials, which makes the task easier for the forensics team. Active@ UNDELETE was selected because it is powerful data recovery software that helps recover deleted files and restore deleted partitions. It supports the Windows XP, Windows Vista, Windows 7 and Windows Server 2003 operating systems. With the software the following can be done:
- Recover deleted files and folders
- Restore deleted partitions
- Create a disk image for safe data restoration
- Perform an advanced scan and organize the results using Document View and the Recovery Toolkit
- Write recovered data directly to a CD/DVD, avoiding risky hard drive activity
- Perform batch file recovery
- Virtually reconstruct broken or disassembled RAID arrays
- Restore data from damaged RAID arrays
- Edit disk content with a hex editor
- Preview deleted files before restoring them
2.5.2 RECOVERED MATERIALS
The recovered materials would be filtered and the RAR file extracted, since the file found was encrypted with the RAR software and the investigator suspected it to be the one containing the materials that Bukit Enterprises claimed Jonathan deleted before quitting the company. In addition, the file was found to be password-protected, so the investigator would need to crack the password before the material inside could be seen.
2.5.3 EXTRACTION OF THE MATERIAL FOUND
Since the material found was encrypted with a password using the WinRAR software, extracting it would require the WinRAR software, which is able to decrypt the encrypted files. The file also required the password, for which the investigator would use "Jonathan" (the name of the person who deleted the documents) to open the documents.
Once the password has been entered and the encrypted documents can be seen, reconstruction is carried out, as the documents must be examined to determine who committed the crime, and how and why it was committed.
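The recovery step described above is what the investigator delegates to Active@ UNDELETE. As an added illustration (not part of the original report and not that product's code), the following Python carver scans a raw disk image for RAR 4.x archive signatures, walks each archive's block chain to find its extent, and reads the header flags to report whether the archive is password-protected, which is how an examiner would know that extraction will need WinRAR and the password. The sample image and the two archives inside it are constructed inline; header CRCs are not checked.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"  # RAR 4.x marker block (7 bytes)
MHD_PASSWORD = 0x0080  # main header: archive headers (file names) are encrypted
LHD_PASSWORD = 0x0004  # file header: packed file data is encrypted
LONG_BLOCK = 0x8000    # header is followed by ADD_SIZE bytes of packed data
HIGH_SIZES = 0x0100    # file header carries 64-bit size extension fields

def walk_rar4(image: bytes, start: int):
    """Follow the block chain of the RAR 4.x archive whose marker sits at `start`.
    Returns (end_offset, headers_encrypted, data_encrypted, file_names).
    Header CRCs are not checked: this is a carver, not a validator."""
    pos, data_enc, names = start + len(RAR4_MARKER), False, []
    while pos + 7 <= len(image):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", image, pos)
        min_size = 11 if flags & LONG_BLOCK else 7
        if hsize < min_size or pos + hsize > len(image):
            break  # corrupt or partly overwritten header
        add = struct.unpack_from("<I", image, pos + 7)[0] if flags & LONG_BLOCK else 0
        if htype == 0x73 and flags & MHD_PASSWORD:
            return pos + hsize, True, True, names  # rest is ciphertext; cannot walk further
        if htype == 0x74 and hsize >= 32:  # file header
            data_enc = data_enc or bool(flags & LHD_PASSWORD)
            name_size = struct.unpack_from("<H", image, pos + 26)[0]
            name_off = pos + 32 + (8 if flags & HIGH_SIZES else 0)
            names.append(image[name_off:name_off + name_size].decode("latin-1"))
        pos += hsize + add
        if htype == 0x7B:  # END block closes the archive
            break
    return min(pos, len(image)), False, data_enc, names

def carve_rar4(image: bytes):
    """Find every RAR 4.x marker in a raw image and describe the archive that follows it."""
    found, pos = [], image.find(RAR4_MARKER)
    while pos != -1:
        end, hdr_enc, data_enc, names = walk_rar4(image, pos)
        found.append({"offset": pos, "size": end - pos, "headers_encrypted": hdr_enc,
                      "data_encrypted": data_enc, "names": names})
        pos = image.find(RAR4_MARKER, max(end, pos + 1))
    return found

def build_rar4(name: bytes, packed: bytes, encrypted: bool) -> bytes:
    """Constructed minimal RAR 4.x archive for the demo (CRC fields zeroed, 'stored' method)."""
    main = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6  # main header, 13 bytes
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    fhdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, flags, 32 + len(name), len(packed),
                       len(packed), 2, 0, 0, 29, 0x30, len(name), 0x20) + name
    end = struct.pack("<HBHH", 0, 0x7B, 0x4000, 7)
    return RAR4_MARKER + main + fhdr + packed + end

# Constructed raw image: slack space, a plain archive, more slack, then a
# password-protected archive like the one recovered in the investigation.
PLAIN = build_rar4(b"notes.txt", b"hello", encrypted=False)
PROTECTED = build_rar4(b"project.rtf", b"\x17" * 64, encrypted=True)
SAMPLE_IMAGE = b"\x00" * 4096 + PLAIN + b"\xff" * 512 + PROTECTED + b"\x00" * 1024

if __name__ == "__main__":
    for hit in carve_rar4(SAMPLE_IMAGE):
        print(hit)
```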
2.6 RECONSTRUCTION
The investigative reconstruction leads to a more complete picture of the crime; this is the phase in which it is determined what happened, who committed the crime, and how and why it was committed. It normally involves three things, namely functional analysis, relational analysis and temporal analysis, which together provide a clear picture of the crime. In this particular case, what happened is that the sensitive files of Bukit Enterprises were deleted from Jonathan's computer before he left the company, because he was not promoted as he had expected. It is also clear that Jonathan was the one who deleted the files, as the files were under his supervision before he quit the company. The deleted files were found to be encrypted and password-protected, which makes it clear that Jonathan used a RAR archive to encrypt and hide them before deleting them. He did this to ensure that the files could not be recovered easily, believing that decryption would be difficult if there were any chance of recovering them.
Functional analysis: Jonathan's computer was found to have software installed, such as the RAR archiver, that can perform encryption. This led to the suspicion that the deleted files had been hidden before deletion.
Relational analysis: The computer on which the deleted file was found was used by Jonathan. He quit the company without handing over the files that were required, and it was clearly seen that Jonathan was dissatisfied with the decision not to promote him. Taken together, these made it easy to conclude that he was the one who deleted the files before he quit the job.
Temporal analysis: Most operating systems keep track of the creation, last modification and access times of files and folders. Below is the timeline showing the sequence of events.
Dates (as listed in the timeline): 21-02-2006, 17-01-2010, 19-01-2011, 20-01-2011, 21-01-2011, 29-01-2011, 30-01-2011.
Events (in the order listed):
- Jonathan started to work with Bukit Enterprises (based on assumption).
- He worked on other projects, which were delivered successfully.
- He started working on the project that he did not deliver as expected.
- He resigned from the company and deleted the project he had been working on from the computer he was using.
- The IT manager wrote an authorization letter to an investigator to investigate the computer for the deleted files and recover them.
- An investigator started work on investigating the crime and recovering the deleted files as required.
- The deleted files were successfully recovered from the image taken of Jonathan's computer.
- The report was generated for further forensic action towards Jonathan and submitted to the IT manager.
2.7 REPORT
FORENSICS REPORT
CASE: BUKIT ENTERPRISES VS JONATHAN
CASE NUMBER: C0001
INTRODUCTION
This report was requested by the IT department of Bukit Enterprises to confirm the alleged claim against Jonathan that he intentionally deleted crucial company documents just before his voluntary resignation.
INVESTIGATION FINDINGS
From the investigation process, the investigation team recovered encrypted files. The files were in a RAR archive which required a password to open the contained documents, as the RAR file had been password-protected before being deleted. The evidence was found on 30 January 2011 in the image of Mr. Jonathan's computer, which was acquired on 28 January 2011. The evidence is in good condition and there are no signs of it being tampered with.
EXAMINATION SUMMARY
The tools used during the entire investigation process were Forensic Toolkit (FTK) Imager Lite, software that does not need installation when used, chosen because the investigation process does not allow tampering with the evidence; it was used to collect the image from Jonathan's computer. Active@ UNDELETE and WinRAR were the other tools used during the investigation; they were used to recover the files and decrypt them, as they had been encrypted before deletion. All these tools were very helpful in collecting accurate and precise evidence, as shown in the preservation stage.
From the evidence, it is evident that Jonathan is guilty of the alleged offence.
4.0 APPENDIX
Chain of Custody Form
Page: 01 of: 01

COLLECTED EVIDENCE
Tracking number: 001
Collected from: Jonathan's computer
Category / Name (as recorded): Forensic investigation; Computer image

CHAIN OF CUSTODY
Tracking number: 001
From (location): Bukit Jalil Enterprises Company LTD
Date and time: 28 January 2011, 13:25 hrs
Reason: To investigate and recover suspected deleted documents from the computer user's Documents.
To (location): Investigation Department.
Letter of authorization
Bukit Enterprises LTD, Kingston Block 3, London, U.K.
Date: 20-01-2011
Yusuph A. Kileo,
Dear Sir, I hereby authorize you to lead the investigation team to investigate and recover suspected deleted files from Mr Jonathan's computer on behalf of Bukit Enterprises, in order to enable further forensic procedure to be taken against him. I kindly allow you to work on the matter as soon as you can, so as to allow the job to be done, as it will be required to be completed as soon as possible.
5.0 REFERENCES
1. Kleiman, D., Cardwell, K., Clinton, T., Cross, M., Gregg, M., Varsalone, J., Wright, C. (2007) The Official CHFI Exam 312-49. Syngress Publishing, Burlington.
2. Vacca, J. (2005) Computer Forensics: Computer Crime Scene Investigation. Syngress Publishing, Charles River Media.
3. Standard Guide for the Recovery of Trace Evidence, Technical Working Group for Materials, Quantico, VA, 1998.
4. Walker, C.,
5. Radcliffe, M. (2010) Ownership of Copyrights Court [online]. Accessed 29th January 2011, 07:34. Available from http://library.findlaw.com/1999/Jan/1/241478.html
6. McCullagh, D. (2007) Police Blotter [online]. Accessed 30th January 2011, 02:39. Available from http://news.cnet.com/Police-blotter-Ex-employee-sued-for-deleting-files/2100-7348_3-6171274.html